Professional Documents
Culture Documents
Retail PDF
Retail PDF
dij_jkj_edi;nWc_dWj_ed9ekdY_b
)),(&
H[jW_bFWoc[dj
Ioij[ci GEH
B6G8='%%)
>I:M6B>C6I>DC
=6C97DD@
TABLE OF CONTENTS
INTRODUCTION ................................................................................ 1
INTRODUCTION
The FFIEC IT Examination Handbook (IT Handbook), “Retail Payment Systems
Booklet” (booklet), provides guidance to examiners, financial institutions, and
technology service providers (TSP) on identifying and controlling information
technology (IT)-related risks associated with retail payment systems and related banking
activities.1 Financial institutions, either in consortiums or acting independently, remain
the core providers to businesses and consumers for most retail payment instruments and
services.
Financial institutions accept, collect, and process a variety of payment instruments, and
participate in clearing and settlement systems. In some cases financial institutions
perform all of these tasks, but increasingly, independent third parties play an important
role and financial institution risks are altered if independent third parties are involved.
Federal government-affiliated providers and operators, such as the Federal Reserve
Banks, also compete with numerous financial institutions and private sector firms in
providing various retail payment services.
This booklet replaces chapters 20, “Retail EFT (ATM and POS),” and 21, “Automated
Clearing House (ACH),” in the 1996 FFIEC Information Systems Examination
Handbook. The booklet presents retail payment systems examination guidance in three
parts, followed by examination procedures, a glossary, and references.
1
This booklet uses the terms “institution” and “financial institution” to describe an insured bank, thrift, and
credit union, as well as technology service providers (TSP) providing services to a financial institution.
2
See “Nonbanks in the Payments System,” March 6, 2003, and “A Guide to the ATM and Debit Card Industry,”
April 7, 2003, describing payment flows and clearing and settlement arrangements at
http://www.kc.frb.org/FRFS/PSRmain.htm.
Examiners should use the examination procedures for evaluating the risks and risk
management practices at financial institutions offering retail payment system products
and services. These procedures address services and products of varied complexity, and
examiners should adjust the procedures, as appropriate, for the scope of the examination
and the risk profile of the institution. The procedures may be used independently or in
combination with procedures from other IT Handbook booklets and agency-specific
handbooks and guidance documents.
This booklet references specific services and brand names trademarked by their
respective companies. These references are intended solely to provide a retail payment
systems overview and should not be construed as an FFIEC endorsement of any product
or service noted herein.
A number of important trends in the past decade have influenced retail payment systems.
One such trend is the rapid consolidation of providers of retail payment services. Credit
issuers, merchant acquirers, processing companies, and check processors are
consolidating as firms seek economies of scale. These changes have meant that some
small and mid-sized financial institutions are exiting the business and outsourcing certain
functions of the retail payments process to larger financial and nonfinancial institutions.
Another important trend is the shift from paper to electronic payments. Recent research
has found that consumer use of electronic payments has grown significantly in recent
years, and the trend will accelerate.
Debit and credit cards were one of the key drivers for much of the growth in electronic
payments. Although on-line, or PIN-based, debit cards were introduced in the early
1980’s, rapid adoption has only occurred since the early 1990’s. Off-line, or signature-
based, debit cards, introduced in the late 1980’s, have experienced significant growth
since the mid 1990’s, and recent surveys have found that off-line debit card transactions
have now overtaken on-line debit card transactions by almost a three-to-one margin.
ACH payments also have grown significantly. Consumers traditionally used checks for a
large portion of bill payments in the United States. However, consumers are increasingly
using direct bill payment through the ACH. Despite the increase in electronic bill
payment, many consumers still rely on checks to make a significant portion of their bill
payments. More recently, retail firms have employed check to ACH conversion
processes to allow electronic settlement, thus reducing the number of checks that flow
through the payment system.
Internet-based bill payment systems are transaction origination platforms that allow
customers to initiate bill payments using existing payment systems. Depending on the
bill payment software, service provider, and payment receiver used, the payment
transaction may be processed as an electronic funds transfer (EFT), ACH, or check.3
3
This booklet addresses the risks and controls associated with the bill payment transaction. See IT Handbook
“E-Banking Booklet” for the risks and controls associated with the front-end bill payment application used to
initiate bill payments.
PAYMENT INSTRUMENTS,
CLEARING, AND SETTLEMENT
This section provides an overview of the various payment instruments and clearing and
settlement processes used for different retail payment systems. Although the diagrams
reflect the general flow of transactions and participants, in many cases, other third parties
may facilitate one or more processing functions.
P a y e r (C o n su m e r) P a y e e (M e rc h a n t)
N e tw o rk
Figure 1 displays the clearing and settlement process for retail payments using a standard
four-corner payments model. While the flow of information, data, and funds is different
for each payment instrument, there is a common set of participants for retail payments.
The initiator of the payment, typically a consumer in retail payments, is located in the
upper left-hand corner of the diagram. The recipient of the payment, typically a
merchant, is in the upper right-hand corner of the diagram. The bottom two corners of
the model represent the relationship of the consumer and merchant to their financial
institution. In some cases, third-party service providers will act on behalf of financial
institutions. The payments networks or clearinghouse organizations that route the
transactions between financial institutions are in the middle of the chart. In some
instances, for example check clearing, a financial institution may exchange check items
directly with another financial institution bypassing the clearinghouse. In figures 1
through 8 solid lines represent the flow of information and dashed lines represent the
flow of funds.
CHECK-BASED PAYMENTS
Until recently, consumers used checks more often than any other retail payment
instrument in the United States other than cash. Checks are very convenient payment
instruments. Consumers can use them at the point of sale, for bill payments, and for
person-to-person transactions. Nonetheless, checks comprise a decreasing percentage of
the total non cash payment volume in the United States.
ECP improves the speed of collection and return of checks. It enables check truncation
by using magnetic-ink character recognition (MICR) line information to present checks
electronically to the paying institution for payment. ECP eliminates the need to forward
the paper check physically. Check imaging technology supports ECP and the creation
and use of “substitute checks” stored on secure electronic media for retrieval when
needed.
Increasingly, using ECC, payees convert checks to ACH or EFT transactions. Once the
payee converts the check at the point of sale through ACH or EFT, or in a lock box
environment through ACH, the transaction is governed by existing regulations for
whichever electronic payment network is used.
In the past, financial institutions have agreed among themselves to use various forms of
check truncation, such as using a check image or MICR information from a check to
substitute for the original check. The Check 21 Act (CTA) declares that a qualifying
substitute check shall be the legal equivalent of an original check even in the absence of
institution-specific agreements.4 Such substitute checks must meet certain specified
requirements to be treated as a legal equivalent, and the truncating institution must
indemnify other parties for losses that result from their receipt of a substitute check
instead of the original check. Financial institutions should consider the implications of
the CTA on the institution’s risk profile. Examiners should stay current with anticipated
supervisory guidance that will address the significant risks that can arise from
implementation of the CTA.
4
See BAI for further information at http://www.bai.org/check21/.
CHECK CLEARINGHOUSES
A check includes the names of the payer and the payee, the account number, amount of
the check, and the name of the paying financial institution. The MICR line at the bottom
of the check enables high-speed reader/sorter equipment to process checks. Before
financial institutions process checks, they encode the amount of the check in magnetic
ink at the bottom of the check. Check formats are governed by standards developed by
the Accredited Standards Committee (ASC) on Financial Services, X9B Committee,
which works under procedures sanctioned by the American National Standards Institute
(ANSI).5
Financial institutions clear and settle checks in different ways depending on whether the
checks are “on-us” checks (checks deposited at the same institution on which they are
drawn) or interbank checks (the payer and payee have accounts at different financial
institutions). On-us checks do not require interbank clearing or settlement. Interbank
checks can clear and settle through direct presentment, a correspondent bank, a
clearinghouse, or other intermediaries such as the Federal Reserve Banks.
Under direct presentment, depositary financial institutions can present checks directly to
the paying financial institution. The paying financial institution may settle with the
depositary financial institution through a pre-arranged settlement agreement or settle by
sending Fedwire funds transfers through the Federal Reserve Banks.6
Correspondent banks, acting on behalf of other depository financial institutions, can settle
the checks they collect for other institutions, known as respondents, by using accounts on
their books or using their Federal Reserve Bank reserve account.
Financial institutions can also clear checks through a Federal Reserve Bank or an
independent clearinghouse, where they have formed voluntary associations that establish
an exchange for checks drawn on those financial institutions. Typically, financial
institutions participating in check clearinghouses use the Federal Reserve’s National
Settlement Service to effect settlement for checks exchanged each business day.7 There
are approximately 150 check clearinghouse associations in the United States. Smaller
depository institutions typically use the check collection services of correspondent banks
or the Federal Reserve Banks.
5
See http://www.ansi.org/.
6
See IT Handbook “Wholesale Payment Systems Booklet” for a discussion of Fedwire®.
7
See http://www.frbservices.org/Wholesale/natsettle.cfm.
Clearinghouse
2
4 3
6
5 7
Figure 2 depicts the typical interbank check clearing and settlement process through a
Federal Reserve Bank or clearinghouse. In step 1 the consumer uses a check to pay a
merchant for goods or services. The merchant, after authorizing the check, accepts the
check for payment.8 At the end of the day, the merchant accumulates the checks and
deposits them with its financial institution for collection (steps 2 and 3). Depending on
the location of the paying institution, the funds may not be immediately available. For
deposited checks payable at other financial institutions, the merchant’s financial
institution uses direct presentment for processing or sends the checks to a Federal
Reserve Bank, clearinghouse, or correspondent bank (steps 4 and 6). The check or an
electronic presentment file is sent to the consumer’s financial institution, and the
financial institution’s account at the correspondent, clearinghouse, or Federal Reserve
Bank is debited (steps 5 and 7).9
Consumers may use credit, debit, or stored-value cards to initiate retail payments in face-
to-face or remote transactions. The payee receives funds after the payment clears, but
consumers actually pay before the transaction on a stored-value card, at the same time of
8
Check authorization is typically performed by a TSP and can also include ECC and other electronic payment
services.
9
Under CTA, the original or a qualifying substitute check is needed for presentment unless agreed to otherwise.
the transaction for an on-line debit card, and after a transaction on a credit card. Both
credit and signature-based debit card transactions are processed in batch mode at the
POS, and settlement is delayed until the batches are processed at the end of the day. PIN-
based debit card transactions, although processed in real time at the POS, typically settle
at the end of the day using the ACH. Each of these types of card payments is described
below.
This booklet groups credit or charge cards in three categories: general-purpose credit
cards, co-branded/affinity cards, and private label (store) cards.
Companies with which the cardholder has a relationship issue co-branded cards jointly
with specific financial institutions. They typically offer consumers some kind of rewards
program. Organizations such as sports teams, schools, or service organizations issue
affinity cards jointly with a financial institution which offers compensation in return for
marketing to the merchant’s customers or the organization’s members. The institution
can base its compensation on the number of account applications, the number of accounts
activated, account volume and income, or other defined benchmarks.
BANKCARD ASSOCIATIONS
The two major bankcard associations, Visa and MasterCard, in conjunction with credit
card issuing and acquiring financial institutions, account for the majority of credit and
debit cards in use. Both associations began as bank service companies, owned by
principal member financial institutions. They provided uniform operating policies,
procedures, and controls for bankcard issuance, acquiring, and settlement activities. The
associations own the credit card trademark, granting membership to financially sound
institutions that apply. The associations only allow members to issue cards bearing the
association logo. Members pay transaction and membership fees for use of the bankcard
association logo and services.
10
Certain private label (store) credit card retailers actively manage card issuance and credit relationships
through affiliated financial institutions.
members can perform all of the principal membership functions except sponsor other
members.
The closed-loop credit card networks—American Express, Discover, and Diner’s Club—
compete with the major bankcard associations to promote the use of their cards.
However, in the case of the closed-loop credit card networks, the card issuer and
merchant acquirer are the same financial institution.
Card-issuing institutions are financial institutions that have permission to issue bankcard
association credit cards. Acquiring financial institutions and third parties have contracts
with merchants that accept a bankcard association’s products. The financial institutions
accept and process transactions from those merchants through the association’s network
interchange payment system. The cost of technology infrastructure and level of
transaction volume are high for bankcard-acquiring institutions. Most rely on third-party
processors to perform the functions.11 Under the bankcard association bylaws, acquiring
financial institutions are responsible for the actions of all contracted third-party
processors, and therefore are expected to carefully monitor service provider compliance
with the associations’ operating rules.
The bankcard associations set interchange fees which are paid by the merchant acquirer
to the issuing financial institution. The merchant acquirer typically passes this fee along
with a “discount or acquirer fee” for processing services to its merchants. Bankcard
issuing institutions generate their revenue from the interest charged on revolving
balances, and interchange, late, over-limit, cash advance, and card fees. Merchant-
acquiring institutions, which assist in clearing and settling credit card transactions,
generate most of their revenue from the acquiring and other processing fees (e.g.,
chargeback processing and account maintenance) they charge to the merchant.
11 Non financial institution processors must partner with financial institutions to process merchant transactions.
6
1 Bankcard
Association 5
12 2 7
10 4 8
3 9
11
11
Financial Institution or
Financial Institution or
Third Party
Third Party
Legend: Solid lines represent the flow of information and dashed lines represent the flow of funds.
Figure 3 illustrates the payment and information flows for a typical credit card
transaction. In this example, the consumer pays a merchant with a credit card (step 1).
The merchant electronically transmits the data, at the POS, through the bankcard
association’s electronic network to the card issuer for authorization (steps 2 and 3). If
approved, the merchant receives the authorization to capture funds, and the cardholder
accepts liability by signing the credit voucher (steps 4, 5, and 6). The merchant receives
payment, net of fees, by submitting captured credit card transactions to its financial
institution in batches or at the end of the day (steps 7 and 8). The merchant acquirer
forwards the sales draft data to the bankcard association, who in turn forwards the data to
the card issuer (steps 9 and 10). The bankcard association determines each financial
institution’s net debit position. The association’s settlement financial institution
coordinates issuing and acquiring settlement positions. Members with net debit positions
(generally issuers) send owed funds to the association’s settlement financial institution,
which transmits owed funds to merchant acquirers. The settlement process takes place
using a separate payment network such as Fedwire (step 11).12 The card issuer will then
present the transaction on the cardholder’s next monthly statement (step 12). The
cardholder makes a payment for the charges incurred in accordance with the cardholder
agreement.
12
Each business day, the association’s settlement financial institution receives information from the association
about issuer and acquirer positions, sending Fedwire 1031 draw-down messages to all of its issuers with in-
structions to fund their settlement accounts for those amounts. The association’s settlement financial institution
debits issuer accounts for those amounts and credits the appropriate acquiring financial institution accounts. If
an issuer does not fund its account on time, the association will intercede, cover the short position, and assess a
penalty fee on the issuer.
• On-line debit cards use a PIN for customer authentication and on-
line access to account balance information. In the future,
consumer authentication could also occur through the use of some
other technology, such as a biometric indicator. At present,
financial institutions authenticate customers by matching the PIN
with the account number directly through a merchant’s terminal.
Debit card transactions use the same EFT networks that handle
ATM transactions. Customers may also receive cash at the POS
because messaging between the financial institution and the retailer
confirms funds availability.
As a result of a legal settlement with Wal-Mart and other retailers, beginning in 2004,
merchants will no longer be required to accept Visa and MasterCard off-line debit cards
as a condition for accepting bankcard associations’ branded credit cards. This is a
dramatic change from the longstanding “honor all cards” policy previously established by
the bankcard associations used to enhance merchant acceptance of off-line debit. How
this policy change will affect the popularity and profitability of off-line debit cards with
merchants and cardholders is uncertain.
ATM Cards
Financial institutions issue ATM cards to consumers to provide on-line access to account
information and to allow consumers to make withdrawals and deposits at ATMs.
Consumers typically enter a PIN for authentication at an ATM, although other
authentication methods such as biometric technology are available. Consumers may use
an ATM deployed by other financial institutions or third parties but typically will pay
fees to the ATM owner and their own financial institution. Many financial institutions
now offer ATM cards that can also be used as debit cards for POS transactions at
participating retailers.
EFT/POS NETWORKS
EFT/POS networks process, route, clear, and settle ATM and on-line POS debit card
transactions by linking financial institution card issuers and merchant acquirers,
consumers, merchants, and third-party service providers through telecommunication
gateways. The networks’ primary roles include routing transactions through central
switching gateways, acting as clearinghouses to settle network member “on-us”
transactions, and forwarding “foreign” nonmember transactions for processing.
Most financial institution and nonbank ATM networks are connected to regional and
national EFT/POS networks. Most regional networks are joint ventures owned and
controlled by competing financial institutions. Ownership in regional networks can either
be concentrated in several financial institutions or dispersed among 100 or more member
financial institutions. A few regional networks function as cooperatives, while a single
firm may own and operate one as a profit-making enterprise.
Visa and MasterCard own and operate the two national EFT/POS networks: Visa’s Plus
and MasterCard’s Cirrus ATM networks and Visa’s Interlink and MasterCard’s Maestro
POS networks. These national networks serve as a bridge between regional networks,
and permit transaction information to be routed from one regional network to another.
Financial institutions rely on third-party service providers to conduct ATM and debit card
payment processing. Third-party processors provide a range of retail payment-related
services, including card issuing services, merchant services, account maintenance and
authorization services, transaction routing and gateway services, off-line debit processing
services, and clearing and settlement services. Although merchant acquiring financial
institutions may use third parties to perform many acquiring activities, the acquiring
financial institution is responsible for all third-party processor and merchant activity.
Independent sales organizations (ISO) provide third-party services to install and operate
ATM and POS terminals for financial institutions and merchants. Representing
merchants and community financial institutions, an ISO typically contracts with third-
party processors for a variety of services including ATM and POS terminal driving,
transaction processing, and cash restocking. Some EFT/POS networks require an ISO to
be sponsored by a financial institution member of the network.
1
EFT Network 5
2
4 6 7
3
8
8
Financial Institution or
Financial Institution or
Third Party
Third Party
Legend: Solid lines represent the flow of information and dashed lines represent the flow of funds.
Figure 4 describes a generic, on-line, PIN-based, debit card transaction. The consumer
enters a PIN to authorize the transaction (step 1). The merchant’s financial institution
requests authorization from the consumer’s financial institution through the EFT/POS
network (steps 2 and 3). The consumer's financial institution, or in some cases the
regional network, verifies funds and debits the consumer’s account (step 4). The
EFT/POS network contacts the merchant and authorizes the purchase (step 5). For
settlement, the regional EFT/POS networks determine the net debit and credit positions
of the participating financial institutions and settle their positions using the ACH (step 6).
The acquiring financial institution typically does not credit the merchant's account with
the entire amount of the transaction (similar to credit card clearing). Rather, the merchant
receives the transaction amount, net of applicable fees and other expenses assessed by the
acquiring financial institution and other intermediaries to the transaction (step 7). At the
end of the business day, the issuing and acquiring financial institutions establish a net
settlement of all the transfers between them using the ACH (step 8).
Stored value cards, mostly issued by nonfinancial businesses, have been successful in
limited deployment environments such as mass transit systems and universities. In
addition to cards, nonfinancial businesses have introduced a variety of other physical
forms for carrying the customer account information. These physical devices are small
and easily portable (e.g., key fobs, rings, etc.)
Some stored value cards may also be smart cards if they contain an integrated microchip.
The integrated chip can store value and perform other functions, such as consumer
authentication. The chip can be placed on a stored value card, a credit card, or a debit
card. The chip might also contain consumer preferences and loyalty program information
for marketing purposes.
1 5
EFT Network
4 6
2
7
3
Financial Institution or
Financial Institution or
Third Party
Third Party
Legend: Solid lines represent the flow of information and dashed lines represent the flow of funds.
Stored value card transactions typically follow the pattern in figure 5. The consumer
purchases a stored value card (steps 1 and 2). When the consumer pays for goods or
services with a “smart” stored value card, electronic notations or tokens transfer from the
card to the merchant's cash register (steps 3, 4, and 5). The merchant contacts the
computer network of the financial institution that issued the stored value card and
presents the tokens for payment (step 6). The network notifies the consumer's financial
institution to pay the appropriate sum to the merchant's financial institution and net
settlement occurs at the end of the business day (step 7). The financial institutions keep a
percentage of the payment (the discount) as compensation for the services provided.
If the stored value card is not a smart card, the associated account funds are kept in a
separate account. When a customer uses the stored value card, the merchant sends a
message to the record-keeping entity to determine whether the balance is sufficient for
the transaction. The third party or financial institution then processes the transaction.
This account arrangement may also be used for smart cards, and the accounts are debited
when the merchant presents tokens for payment. Although financial institutions issue
stored value cards and maintain account records, third parties may also be involved in
maintaining individual account records.
Most P2P services charge the receiver of the funds a variable fee depending upon various
factors, including payment method and the sender’s credit history. Payments made with
funds that originated from an ACH transaction are less expensive than transactions made
with funds originated from credit cards. P2P systems may offer the receiver an
opportunity to obtain funds through a check for an additional fee.
1 5
EFT Network
4 6
2
7
3
Financial Institution or
Financial Institution or
Third Party
Third Party
Legend: Solid lines represent the flow of information and dashed lines represent the flow of funds.
On-line P2P payments typically occur using the process described in figure 6. The
sender of the funds must have an account with the P2P service provider (step 1).
Depending upon the service, the funds may come from an existing credit card or
transaction account, or be drawn from a previous balance with the on-line P2P payment
provider (steps 2 and 3). The sender can then designate the e-mail address of the
intended funds recipient (step 4). The P2P network then transfers the funds to the
receiver’s account as an “on-us” transaction. Once the funds reach the receiver’s
account, notice of the transaction is sent through e-mail to the receiver (step 5). The
receiver of the funds must join the service if it does not already have an account (step 6).
The on-line P2P payment service can disburse the funds from the receiver’s P2P account
through an ACH payment, a check payment, an EFT credit, or a credit to a credit card
account (step 7).
Electronic Cash
Financial institutions and retailers are also developing electronic cash payment
instruments. Similar to P2P payments, individuals can transfer electronic cash value to
other individuals or businesses. Most electronic cash applications exist on the Internet.
Consumers can use the cash payment instruments for purchases at retailers’ Web sites or
they can transfer cash to other individuals through e-mail. Prefunded accounts
consumers may use for on-line auction payments or with participating retailers are among
the most recent applications. Individuals use a credit card or signature-based debit card
number to prefund the Web certificate or electronic account, and recipients redeem the
value with the issuer. There are few existing markets for electronic cash payment
instruments, and merchant acceptance and consumer use is generally low.
In addition to the primary ACH transactions, retailers and third parties use the ACH
system for other types of transactions including:
13
See http://www.nacha.org/.
14
EPN is a subsidiary of The Clearing House (formerly known as the New York Clearing House Association).
15
See http://www.frbservices.org/OperatingCirculars/pdf/oc4.pdf for Federal Reserve System Operating Circular
No. 4 on “Automated Clearing House Items.”
Payee (Employee)
Payer (Employer)
1
ACH
Operator
5 4 3 5 2
6 6
Figure 7 depicts a typical ACH credit transaction. In this example, the payer is the
employer and the payee is the employee. The payee authorizes an employer to deposit
his or her paycheck through direct deposit (step 1). The ODFI is the employer’s financial
institution and the RDFI is the consumer’s financial institution. The employer submits its
direct deposit payroll ACH files to the ODFI (step 2). The ODFI verifies the files and
submits them through the corresponding ACH operator (step 3). The ACH operator
routes the transaction to the payee’s financial institution. The financial institution makes
the funds available to the payee by crediting his or her account and debiting the payer’s
account (steps 4 and 5). The ACH operator settles the transaction between the
participating financial institutions (step 6). If the ACH operator is the EPN, final
settlement is done using the Federal Reserve Bank’s National Settlement Service (NSS).
If the ACH operator is the Federal Reserve, final settlement is made directly to the
financial institution’s reserve accounts at a Federal Reserve Bank.
5 4 5 2
3
6 6
Figure 8 depicts a typical ACH debit transaction, in this case a recurring monthly
insurance premium remittance. The payer sends the ACH payment information and
authorization to the payee, in this case an insurance company (step 1). The payee
submits this information to its financial institution (step 2), which routes the transaction
to an ACH operator (step 3). The ACH operator routes the transaction to the receiving
financial institution (step 4). Funds are made available to the payee and the payer’s
account is debited (step 5). The ACH Operator settles the transactions between the
participating financial institutions (step 6). Final settlement is performed as described in
Figure 7.
The Federal Reserve’s Payments System Risk (PSR) policy controls and reduces intraday
credit risk to the Federal Reserve Banks.16 An integral component of the PSR policy is a
program to control the use of Federal Reserve daylight overdrafts. Daylight overdrafts
can occur in accounts at Federal Reserve Banks as well as at financial institutions. A
daylight overdraft occurs at a Federal Reserve Bank when there are insufficient funds in
16
See http://www.federalreserve.gov/paymentsystems/psr/default.htm.
To control daylight overdrafts, the PSR policy establishes limits, or net debit caps, on the
amount of Federal Reserve Bank daylight credit that a depository institution may use
during a single day and over a two-week reserve maintenance period. These limits are
sufficiently flexible to reflect the overall financial condition and operational capacity of
each institution using Federal Reserve Bank payment services. The policy also permits
the Federal Reserve Banks to protect themselves from the risk of loss by unilaterally
reducing net debit caps, imposing collateralization or clearing-balance requirements,
rejecting or delaying certain transactions until sufficient balances exist, or prohibiting an
institution from using Federal Reserve payment services.
The PSR policy established daylight overdraft fees to provide a financial incentive for
institutions to control their use of Federal Reserve Bank intraday credit and to recognize
the risks inherent in the provision of intraday credit. Daylight overdraft fees induce
financial institutions to make business decisions concerning the amount of Federal
Reserve Bank intraday credit they are willing to use based on the cost of using that credit.
The daylight overdraft measurement method, which incorporates a set of nearly real time
transaction posting rules, also supports institutions in controlling their use of Federal
Reserve Bank intraday credit.
The Federal Reserve Banks use the real time Account Balance Monitoring System
(ABMS) to monitor financial institution accounts intraday. For a limited number of
institutions, the system is used to prevent them from incurring daylight overdrafts in their
Federal Reserve Bank accounts beyond a certain threshold (often set to zero) for
Fedwire Funds, NSS, and ACH credit origination transactions. This is referred to as
monitoring the account in real time.
The Federal Reserve Banks require prefunding for any ACH credit origination
transactions settling to the accounts of financial institutions that are monitored in real
time. ACH transactions for accounts that are monitored in real time are also required to
be prefunded on behalf of the account holder and any respondents.
Institution accounts that are monitored in real time must have sufficient available funds
when they process ACH batches that contain forward credit items (credit or mixed
batches with debit and credits). If there are insufficient funds available in the account,
the batch will reject and a notice will be sent to the ACH sending point and to the
settlement financial institution.17
17
See IT Handbook “Wholesale Payment Systems Booklet” for additional information on NSS and PSR policy.
Management and the board should manage and mitigate the identi-
fied risks through effective internal and external audit, physical and
logical information security, business continuity planning, vendor man-
agement, operational controls, and legal measures.
From the initiation of a retail payment transaction to its settlement, financial institutions
are exposed to certain risks. For individual retail payment transactions, risk resulting
from compliance issues and potential operational failures, including fraud, is always pre-
sent. Operational failures can increase costs, reduce earnings opportunities, and impair
an institution’s ability to reflect its financial condition accurately. Participation in retail
payment systems may expose financial institutions to credit, liquidity, and operational
risk, particularly during settlement activities. In addition, a financial institution’s credit,
liquidity, and operational risk may be interdependent with payment system operators and
third parties.
The board of directors is responsible for PSR policy compliance and should ensure
management establishes sound internal operating practices, including compliance with
applicable banking laws and carefully managing retail payment system-related financial
risks. At a minimum, a financial institution’s board of directors should:
The failure of any payment system participant to provide funding for settlement may
precipitate liquidity or credit problems for other participants, regardless of whether they
were party to payments to or from the failing participant. Operational and credit risk can
also contribute to legal (compliance) risk if financial institutions do not follow prescribed
regulations and clearinghouse and bankcard association rules and bylaws. In addition,
financial institutions have significant reputation risk if they do not correct deficiencies.
Risk profiles vary significantly based on the size and complexity of the financial
institution’s retail payment system products and services, information technology
infrastructure, and dependence on third parties. All financial institutions should maintain
an effective internal control environment commensurate with the level of retail payment
products and services they offer. Effective internal controls should include the financial,
accounting, technical, procedural, and administrative controls necessary to minimize risks
in the retail payment transaction, clearing, and settlement process. These measures
reduce operational and credit risks, ensure individual transactions are valid, and mitigate
processing and other errors. Effective controls also ensure supporting information
technology systems and network infrastructure promote retail payment transaction
integrity, confidentiality, and availability.
Financial institutions engaging in retail payment system services should be aware of the
risks inherent in the activity. Even newer, Internet-based, electronic services have
substantial credit and operational risks. Financial institutions should be cognizant of the
reputation and strategic risk of newer services, which may lack consumer acceptance.
Often, participants will also face uncertainty regarding how state and federal laws and
regulations will apply to new payment systems.
Financial institutions have always offered a variety of retail payment services. Advances
in information technology continue to expand the variety of services. The industry trend
is moving from traditional paper-based transactions to all-electronic transaction services.
The newer electronic services increasingly rely on information and network technology,
which require financial institutions to develop strong risk management practices.
Financial institutions should establish internal risk management systems that are
commensurate with the size and complexity of their operations. The systems should be
STRATEGIC RISK
Strategic risk is the risk associated with the financial institution’s future business plans
and strategies. This risk category includes plans for entering new business lines,
expanding existing services through mergers and acquisitions, and enhancing
infrastructure (e.g., physical plant and equipment and information technology and
networking). Financial institutions also increasingly compete with nonbank entities to
provide retail payment services. This competition benefits the consumer through
enhanced product offerings at a lower cost. Conversely, it places additional pressure on
financial institutions to protect profitability through the development of new products and
services while managing additional marketing, research, and development costs.
Strategic plans that include significant market expansion or the addition of new products
may expose financial institutions to increased risk. For example, expanding Internet
banking services to include electronic bill presentment and payment services, expanding
existing bankcard issuing programs, or entering the merchant bankcard processing
business significantly increase the potential risk to the financial institution. Strategic
plans should demonstrate that management has assessed the risks and documented the
institution’s program to mitigate them. Strategic plans should address the institution’s
capability to provide the service.
Larger financial institutions often specialize in specific retail payments and invest in the
resources and expertise to support high-volume transaction processing applications.
Smaller financial institutions also compete in some retail payment segments through the
use of advanced distributed information technology platforms and third-party service
providers. Many retail payment system services are transaction intensive and priced
competitively based on volume. Financial institutions providing large-scale bankcard
issuing and merchant services, as well as other transaction-intensive retail services,
should maintain a competitive operating environment. This often requires significant
investments in information technology. Strategic plans should reflect these investments
and link business-line goals and objectives with planned information technology
enhancements.
To mitigate strategic risk, management should have a strategic planning process that
addresses its retail payment business goals and objectives, including supporting
information technology components. Because financial institutions often rely on third-
party service providers for retail payment system products and services, the strategic plan
should include a comprehensive vendor management program.
18
As proposed under Basel II, financial institutions might need to quantify operational risk.
REPUTATION RISK
Reputation risk is the risk that negative publicity regarding an institution’s business
practices will lead to a loss of revenue or litigation. For retail payment-related systems,
reputation risk is linked with customer expectations regarding the delivery of retail
payment services, and whether the institution is meeting its regulatory and consumer
protection obligations relating to those services. An institution’s reputation, particularly
the trust afforded it by customers and counter-parties can be irrevocably tarnished due to
perceived or real breaches in its ability to conduct business securely and responsibly. In
addition, financial institutions are responsible for risks associated with the activities of
third-party service providers with which they contract. For example, deficiencies in
security and privacy policies that result in the release of customer information by a
service provider may result in reputation damage.
CREDIT RISK
Credit risk is the risk that a party will not settle an obligation for full value. Each retail
payment instrument has a specific settlement process that depends on the entities
involved. Multiple financial institutions, third-party entities, as well as the payer and
payee are involved with creating, processing, and settling the transaction. If a financial
institution uses a third-party service provider, it is responsible for the credit risk exposure
for the services performed. Financial institutions should have procedures in place to
manage the credit risk of third parties using their accounts to settle transactions.
When an institution supplies funds, it usually does not submit a payment for settlement
unless the payer’s financial institution verifies that funds are available in the payer’s
account. Otherwise, there is a credit risk exposure. When an institution receives funds in
a retail payment transaction, it may suffer credit risk from granting funds availability for
account transfers not properly authorized. In the ACH, NACHA has established rules
requiring each ODFI to conduct appropriate creditworthiness monitoring, establish
exposure limits, and periodically review the limits applicable to specific customers.
Returns are another source of credit risk. Checks and direct debit transfers can be
returned if the payer’s institution chooses not to honor the presentment because of
insufficient funds, forgery, fraud, or other payment irregularities. The return time frames
vary for different payment instruments. For an ACH debit, the ODFI grants funds
availability to the originator on settlement day. The credit exposure exists until the RDFI
can no longer return the ACH debit. If not properly authorized, the return time frame
under NACHA rules extends to 60 days from the settlement date.
Bankcards have specific procedures for chargebacks, which are amounts disputed by the
cardholder and “charged back” or reversed out of the merchant’s account. The acquiring
financial institution relies on the creditworthiness of the merchant, but if the merchant
declares bankruptcy, commits fraud, or is otherwise unable to pay its chargebacks, the
acquiring financial institution must pay the issuing financial institution.
The settlement of retail payment transactions, i.e., the transfer of funds between the
parties, discharges the payment obligation. The risk that settlement of retail payment
transactions will not take place as expected can result in both credit and liquidity risks.
Financial institutions should understand and manage credit and liquidity risks related to
the settlement of retail payments. This should include preparing for potential credit and
liquidity issues resulting from incomplete settlement or operational problems.
Settlement lags occur when financial institutions, due to failure or the inability to fund
their obligations, do not settle their obligations when due. Settlement lags result in credit
risk until final settlement occurs. Any payment activity undertaken on the basis of
“unsettled” payment messages remains conditional, resulting in risk. Settlement lags
may also result in liquidity risk. Until settlement is completed, a financial institution is
not certain what funds it will receive through the payment system. As a result, it may not
be sure whether its liquidity is adequate. If an institution overestimates the funds it will
receive when settlement takes place, it may face a shortfall. If the shortfall occurs close
to the end of the day, an institution could have significant difficulty finding an alternate
liquidity source.
Financial institutions often allow their corporate customers to incur intraday or “daylight”
overdrafts. In principle, an institution engaging in this practice is extending credit to its
customer. In most cases, the overdraft is eliminated with incoming funds transfers from
other institutions (or outgoing securities transfers against payment) by the end of the
business day. Daylight overdrafts constitute an extension of credit—no matter how long
they remain unpaid. An institution’s credit policies should include provisions for approv-
ing and monitoring daylight overdraft lines to customers.
LIQUIDITY RISK
Liquidity risk is the current and potential risk to earnings or capital arising from a
financial institution’s inability to meet its obligations when they come due without
incurring unacceptable losses. Liquidity risk related to payment systems is the risk that
the financial institution cannot settle an obligation for full value when it is due but only at
some unspecified time in the future. Liquidity problems can result in opportunity costs,
defaults on other obligations, or costs associated with obtaining the funds from another
source for some period of time. In addition, operational failures may also negatively
affect liquidity if payments do not settle within an expected time period.
Legal risk can result from a financial institution’s failure to comply with the bylaws and
contractual agreements established with the bankcard associations, clearinghouses, and
other counter-parties with which it participates in processing, clearing, and settling retail
payment transactions.
Legal risk also arises from noncompliance with existing consumer protection statutes,
regulations, and case law governing retail payment transactions (e.g., Gramm–Leach–
Bliley Act (GLBA), Truth in Lending Act, Regulation CC, and Regulation E). Customer
retail payment transaction records and corresponding account information are subject to
the GLBA 501(b) provisions, and financial institutions must establish effective
safeguards for protecting this customer information.
Legal measures should ensure compliance with specific laws and regulations pertinent to
retail payment systems. They should also ensure compliance with general consumer
protection rules that allocate responsibility and establish the minimum procedural
measures that must be fulfilled before shifting the responsibility to another party.
Contractual terms may further define responsibilities within the legal framework, and
contracts between financial institutions, customers, and third-party service providers may
further integrate risk-sharing responsibilities applicable to payments made through a
specific clearing or settlement arrangement.
Patriot Act
The USA Patriot Act contains measures to prevent, detect, and prosecute terrorism and
international money laundering. Such acts may be perpetrated using retail payment
systems. These acts may occur in many ways, including those in which a financial
institution does not properly authenticate its accountholders for retail payment
transactions. Title III of the USA Patriot Act amends the Bank Secrecy Act and provides
the Treasury Department and federal agencies with enhanced authority to combat
international money laundering and block terrorist access to the U.S. financial system.
Sections 311, 312, 313, 314, and 319 generally require U. S. financial institutions to
establish appropriate and, if necessary, enhanced due diligence procedures to detect and
report instances of money laundering and terrorist activity.19 In addition, section 326
requires financial institutions to document authentication of various payment accounts
and maintain that documentation.
Operational risk can also arise from fraud. A financial institution’s exposure to
operational risk from fraud is the risk that a wrongful or criminal deception will lead to a
financial loss for one of the parties involved. Currency and checks are more vulnerable
to loss or direct theft, whereas fraud is the primary concern in bankcard payment
transactions. Fraud is a significant concern for ACH, especially one-time ACH debit
transactions. The continuing growth of check-to-ACH conversion presents many new
fraud risks.
Newer retail payment mechanisms, particularly using the Internet, are also subject to
fraud risk. The creation of fraudulent electronic transactions could lead to financial
losses if fraudulent balances are successfully exchanged for a readily transferable form of
money, such as currency, or other assets.
19
See IT Handbook “Wholesale Payment Systems Booklet” for additional information. FFIEC agencies have
revised their Bank Secrecy Act (BSA) examination procedures to reflect the USA Patriot Act.
System measures include monetary and time limits (per transaction, per payment
instrument, per client), and personal authentication and encryption techniques to ensure
the authenticity of the payer and transaction information integrity. Additional controls
include the use of certified tamper-resistant equipment (e.g., EFT/POS terminals), logical
access controls to verify transactions, on-line verification of account balances, logging of
all transactions and attempts to make a transaction, and the use of serial numbers and
check digits.
Procedural measures include appropriate dual custody and separation of duties for critical
payment transaction processing and accounting tasks, payment data verification, clear
error processing and escalation procedures, and confidential and tamper-resistant mailing
procedures for bankcards and other sensitive material. Administrative measures should
include IT audit coverage of operational controls, legal controls (including regulatory
compliance and agreements), and personnel issues associated with staffing and training.
In the event of unauthorized use of a payment card, the cardholder’s liability is limited to
a specified amount if he or she notifies the card issuer of the theft or loss within a set time
limit. To limit their own losses from POS card fraud, the bankcard associations require
vendors to match the cardholder’s signature on the card with the signature on the
payment voucher at the point of sale. The associations have also introduced extensive
monitoring and reporting controls to limit fraudulent bankcard activity.
AUDIT
Action Summary
Due to the potential large retail transaction volumes and associated
dollar value when initiating payments, internal audit coverage is criti-
cal for effective oversight of the financial institution’s retail payment
systems.
An effective audit function should include internal and external audit coverage tailored to
the complexity of the institution. Due to the potentially large retail transaction volumes
and associated dollar value when initiating payments, internal audit coverage is critical
for effective oversight of the financial institution’s retail payment systems. The audit
coverage should be sufficient to validate the internal control environment surrounding the
processing, clearance, and settlement of retail payment transactions. Auditors should
perform an evaluation of the financial institution’s retail payment system business lines
on the basis of overall risk to the financial institution. Based on the evaluation they
should develop an appropriate schedule of audits. Auditors should review accounting
controls and assess the effectiveness of transaction processing, clearance, and settlement
processing procedures.
The board of directors should ensure the information technology audit program tests
retail payment system internal controls, management policies, and procedures. IT audit
coverage should include the design and implementation of retail payment products, and
include the supporting information technology environment encompassing internal data
centers, contingency sites, and network infrastructure. IT audit coverage should also
verify the adequacy of internal controls in applicable business lines responsible for
managing day-to-day retail payment system services. In addition, internal audit should
assess the comprehensiveness of the institution’s vendor management program and
ensure the institution is appropriately managing vendor risk.20
INFORMATION SECURITY
Action Summary
Financial institutions must implement the appropriate physical and
logical security controls to ensure retail payment system transactions
are processed, cleared, and settled in an accurate, timely, and reli-
able manner. Security risk assessments should consider physical and
logical security controls for the origination, approval, transmission, and
storage of retail payment system transactions. Physical controls should
limit access to only those staff assigned responsibility for supporting the
operations and business line centers processing retail payment and
accounting transactions. Physical controls should also provide for the
ability to monitor and document access to these facilities. Logical
controls should include appropriately identifying and authenticating
retail payment system customers to help ensure retail payment systems
integrity.
Financial institutions must implement the appropriate physical and logical security
controls to ensure retail payment system transactions are processed, cleared, and settled
20
See IT Handbook “Audit Booklet.”
in an accurate, timely, and reliable manner. Retail payment systems contain confidential
customer information subject to GLBA section 501(b) security guidelines. The board
and management are responsible for protecting the confidentiality, integrity, and
availability of these systems and data. The privacy risk combined with the funds transfer
capability should cause these systems to rank high in all institutions’ information security
risk assessments. Those risk assessments should consider physical and logical security
controls for the origination, approval, transmission, and storage of retail payment systems
transactions.
Physical controls should limit access to those staff assigned responsibility for supporting
the operations and business line centers processing retail payment and accounting
transactions. Physical controls should also provide for the ability to monitor and
document access to these facilities.
Logical access controls should restrict access on a need-to-know basis and assign access
to retail payment applications and data based on functional job duties and requirements.
Logical access control should also protect network access. An institution’s risk
assessment should require it to protect retail payment systems from unauthorized access
through appropriate network configuration, firewalls, or intrusion detection. The
assessment should review the security of all third-party service providers as well. Some
institutions accomplish this by isolating all payment-related applications and systems
from other production applications.
The use of newer technologies, including smart cards, wireless phones, and the Internet,
presents new security challenges. It is increasingly difficult to implement effective
identification and authentication techniques as well as verifying the integrity of the
transaction data while preventing customer repudiation.
Many electronic banking applications use Internet-based open network standards and rely
on commonly accepted technologies to secure transmissions (e.g., secure socket layer
[SSL] or virtual private networking [VPN]). The institution should establish a secure
session from the time a consumer enters their personal banking information to the time of
final data transmission.
Retail payment systems should incorporate sufficient security procedures and controls to
verify the integrity of the data, the confidentiality of the transmission, and the
authenticity of the communication partners and data sources. To discourage fraudulent
transactions, management should consider implementing multi-factor authentication
techniques for sensitive retail payment applications. Using digital certificates, leveraging
the PKI (public key infrastructure), and employing biometrics, and card or token-based
techniques can provide cost-effective solutions for augmenting traditional technical
controls.21
Action Summary
Financial institutions should evaluate the extent to which retail pay-
ment system products and services provide mission-critical services.
Management should perform business impact analyses, and develop
business continuity plans accordingly. Management should also con-
duct an appropriate level of testing to ensure the institution meets cus-
tomer and counter-party expectations and requirements. Vendor
management programs should include provisions for the restoration of
service at service providers in the event of a disruption and evaluate
service provider business continuity test plans.
For financial institutions offering basic retail payment products and services (e.g.,
bankcard issuance, check item processing, branch ATM access, and Internet banking
services), business continuity plans should include appropriate recovery targets for each
21
See IT Handbook “Information Security Booklet” and the FFIEC authentication guidelines “Authentication in
an Electronic Banking Environment”, August 8, 2001.
22
See IT Handbook “Business Continuity Planning Booklet.”
retail product. The recovery targets should consider the reliance on any third-party
vendors in meeting their objectives. Vendor management programs should include
provisions for the disruption and restoration of service at service providers, including the
consideration of service provider test plans.
For financial institutions and service providers with complex retail payment operations,
business continuity plans should enable restoration of service within time frames that are
reasonable for internal business units as well as other dependent financial institutions and
counter-parties. Financial institutions providing significant card issuing, merchant
processing, EFT/POS, ACH, and retail payment-related Internet banking services should
also test these plans periodically with customer financial institutions and counter-parties
to ensure plans are sufficient.
Action Summary
Financial institutions must establish and maintain effective vendor and
third-party management programs.
Some financial institutions rely on third-party service providers and other financial
institutions to provide retail payment system products and services to their customers.
Many retail payment services are directly related to core processing financial institution
operations (e.g., accessing demand deposit accounts through the use of financial
institution-issued bankcards) and may be run in-house through the use of purchased turn
key systems. However, institutions contract many retail payment-related services to third
parties either to enhance the services performed in-house or to offer new retail payment
services that are otherwise not cost effective.
501(b). Contractual provisions should define the terms of acceptable access and potential
liabilities in the event of fraud or processing errors.23
OPERATIONS
Action Summary
Financial institutions should develop and implement effective opera-
tional risk management programs to mitigate the risks of providing re-
tail payment system services and products.
Financial institutions should adopt measures that limit operational risks for the
processing, clearing, and settlement of retail payments. Financial institutions and service
providers participating in clearing and settlement arrangements for retail payments should
ensure operational reliability for timely completion of daily processing through adequate
information systems, internal controls, backup facilities, reliable technology, and
adequate staff training and support. Furthermore, organizations should adopt business
continuity plans to provide solutions and to manage interruptions. Risk analysis should
identify confidential assets, critical operations, and potential threats. It should also define
safeguards and countermeasures to provide appropriate protection.
Institutions can control fraud risk by using fraud databases and fraud analysis tools.
Some bankcard associations and Internet-banking applications use neural network
technologies or behavioral fraud analysis. They represent specialized software and
hardware designed to identify patterns of behavior, allowing financial institutions to
identify suspicious transactions or spending. The bankcard associations have also
developed numerous fraud detection and avoidance systems that member financial
institutions can use to reduce losses as a result of fraudulent bankcard use. The growth of
e-commerce has led many institutions and service providers to develop additional
databases to provide early identification of potential fraud.
Institutions can also mitigate operational risk by identifying and evaluating potential legal
and compliance risks. They can effectively manage operational risk by establishing the
appropriate legal review process for the products and services offered. The review
process should ensure there are defined roles and responsibilities for retail payment
services, specifically for the financial institution and its customers. Reliance on third
parties for retail payment products and services should also require a thorough legal
review process that supports an effective vendor management program. Institutions
should also enforce the regulations and consumer compliance mandates that apply to
retail payment services (e.g., Regulation E).
23
See FFIEC outsourcing guidelines, “Risk Management of Outsourced Technology Services”, November 28,
2000, and the IT Handbook, “Outsourcing Technology Services Booklet.”
CHECKS
Return items are a major risk facing institutions that collect checks. A check will be
returned to the depositary financial institution if the paying financial institution
determines not to pay it (return item). Reasons for returned items include insufficient
funds in the account, a closed account, a stop payment order, a fraudulent signature, or
failure of the paying financial institution.
The Expedited Funds Availability Act (Regulation CC) obligates institutions to make
funds available for customer withdrawal in accordance with mandatory schedules. Thus,
a depositary financial institution may be required to make funds available to the customer
before an unpaid check is returned to the depositary financial institution. When the
depositary institution receives a return item, it will charge back its depositing customer’s
account for the item even if it has already made the funds available to the depositing
customer.
The depositary is exposed to credit risk if the customer does not have sufficient funds in
his or her account to cover the returned check. When a paying financial institution
returns the item to the depositary, the paying institution does not have to return the item
through the same clearing mechanism from which it received the item.
One compensating control for check return items is credit monitoring. Financial
institutions should perform a credit assessment of those customers for which they collect
large dollar volumes of checks. Financial institutions should also monitor the payment
activity of their customers and take appropriate action when credit limits are exceeded.
Regulation CC requires that when a paying financial institution decides to return a check
of $2,500 or more, it must provide a notice of nonpayment to the depositary financial
institution in case the customer tries to withdraw funds represented by the “bad” check.
Using electronic check presentment (ECP) for payment may reduce risk to depositary
financial institutions because it permits them to deliver check data to paying financial
institutions more quickly than with checks. The shorter delivery time permits paying
financial institutions to (1) identify checks that cannot be paid and (2) notify the
depositary financial institution about those returned checks using an electronic return
notice, up to one day earlier than would occur with the physical exchange of paper
checks.
CREDIT CARDS
For credit cards, credit losses and fraud losses are two of the most significant risks to an
institution. Credit losses (because of contractual delinquency and bankruptcy) account
for the majority of credit card charge-offs. Fraud involving credit cards includes unau-
thorized use of lost or stolen cards, fraudulent applications, counterfeit or altered cards,
and the fraudulent use of a cardholder’s credit card number for card-not-present transac-
tions.
This has become a significant issue for many on-line retailers processing card-not-present
transactions. The major bankcard associations, however, are introducing services to
reduce the liability of merchants. Under one initiative, issuers will assume losses for
fraudulent transactions if the payment was authorized using the bankcard association’s
authentication technique.
One control method financial institutions use to reduce risk is the authorization process
(approval of credit transaction). For example, when the merchant swipes the bankcard,
the issuer can deny authorization of the transaction if the consumer is over his or her
credit limit, is delinquent, or if the card has been reported as stolen. Financial institutions
can also employ the address verification service (AVS) to verify a cardholder’s billing
address and other pertinent information (used for mail, telephone, and Internet
transactions).
DEBIT/ATM CARDS
For debit or ATM cards, there is the risk that unauthorized individuals will obtain them
and make fraudulent transactions. There is also a risk to customers’ physical safety at
ATM locations. Financial institutions and service providers should mitigate these risks
by executing financial institution-merchant and financial institution-customer contracts
that delineate each party’s liabilities and responsibilities. Institutions should also
establish adequate physical safeguards including the installation of surveillance cameras
and access/entry control devices. State and federal statutes protect consumers by limiting
their liability if they give notice of lost, stolen, or mutilated cards within a specified
period.
CARD/PIN ISSUANCE
Financial institutions also assume certain fraud-related risks when issuing credit, debit,
and ATM cards, either in-house or under contract to third parties. Inadequate internal
controls or ineffective card and PIN issuance procedures may result in fraudulent
customer transactions. Inappropriate separation of duties that allow employees access to
both customer account and PIN information exposes the institution to potential employee
fraud.
The embossing and encoding of blank plastic card stock, if done in-house, should be
performed in a secure area and include blank card stock inventory controls, accounting
controls for the number of cards used (including test and reject cards), and dual controls
for blank card stock storage. Procedures for the interim storage of card stock and
accounting should exist for all cards not under dual control. Adequate controls should
also exist for captured cards.
Accountability controls should also be established to ensure all cards initially disbursed
from the storage area are delivered to the mail area or destroyed. Returned cards should
be handled by a function independent of the mail department. Control cards should be
mailed randomly to customers and their delivery validated within a few days to ensure
that no theft has taken place.
PIN generation should be performed at the time of card issuance. Active PIN
information should be controlled, including encrypting PIN information on storage
devices, and access to PIN databases should be restricted on a need to know basis. Staff
access to PIN information should be reviewed periodically to confirm access controls are
working effectively.
The PIN should not appear in printed form, and staff members should not be able to
retrieve or display a customer PIN on-line. PIN mailers should be processed and
delivered with the same level of security used for mailing cards, and an active PIN should
never be included with the card when mailed to a customer.
The PIN should not be transmitted unencrypted and the PIN system should record the
number of unsuccessful PIN entries, restricting access to a customer's account after a
limited number of attempts. If a PIN is forgotten, the customer should select a new one
rather than having staff retrieve the old one.
For institutions that outsource these functions to third parties, written agreements should
define roles and responsibilities and detail control and problem resolution procedures.
Effective vendor management should include a periodic review of third-party control
environments and relevant internal and external audit reports.
MERCHANT ACQUIRING
For merchant processors, significant operational (transaction) and credit risks require
careful monitoring. Chargebacks can create significant credit risk to merchant processors
if their merchants cannot honor chargebacks from cardholder disputes. When the
merchant is unable to pay its chargebacks due to bankruptcy or fraud, the acquiring
financial institution must cover the chargeback and pay the issuing bank. Acquiring
financial institutions should carefully manage the merchant portfolio and employ
Operational (transaction) risk is also present in the bankcard clearing process when sales
information is transmitted to card-issuing institutions.24 Operational risk can also arise
from improper processing of bankcard transactions, inadequate internal controls,
employee error or malfeasance, and other operational challenges.
ACH
For ACH credit entries, the ODFI incurs credit risk upon initiating the entries until its
customer funds the account. The RDFI incurs credit risk if it grants funds availability to
its customer prior to the final settlement of the credit entry. For ACH debit entries, the
ODFI incurs credit risk from the time it grants funds availability to the originator (usually
on the settlement day) until the ACH debit can no longer be returned by the RDFI. If the
transaction is properly authorized, returns must be made no later than the second banking
day following settlement. If not authorized properly, the financial institution exposure
can be up to 60 days from when it sends a periodic statement to the consumer. An ODFI
will normally charge back a returned ACH debit to the originator. However, the ODFI
24
Information is sent to the bankcard associations first, then the issuing financial institutions. The associations
specify debit and credit postings.
may suffer a loss if the originator's account has insufficient funds, is closed, or is frozen
because of bankruptcy or other legal action.
An RDFI should establish prudent overdraft and funds availability policies and practices
to mitigate its credit exposures. Credit risk, with respect to a debit entry, arises if the
RDFI allows the debit to overdraw its customer's account. To manage its credit
exposures, an ODFI (and its service provider) should monitor the creditworthiness of its
customers and establish and periodically review ACH exposure limits for them. In
addition, an ODFI should implement procedures to monitor ACH entries relative to the
originator's exposure limit across multiple settlement dates.
When a financial institution fails to comply with the NACHA rules, it exposes itself to
contractual liability and fines. In addition, Regulation E applies to electronic financial
services, including ACH transactions. The notice, authorization, and timing requirements
of Regulation E are of particular importance. Noncompliance with Regulation E exposes
a financial institution to litigation and civil money penalties. Financial institutions should
also monitor their compliance with Office of Foreign Assets Control (OFAC)
requirements concerning the accounts of blocked parties.
Financial institutions should understand the impact that ACH transaction risk has on their
liquidity. For example, an ODFI may not be able to settle (collect) an ACH debit, or an
RDFI may not be able to settle an ACH credit because of fraud, service disruption, or the
default of an ACH Network participant. This could impair the financial institution’s
ability to meet its other obligations without incurring losses. Financial institutions should
consider the volume of their uncollected ACH transactions as part of their liquidity risk
management practices.
While a financial institution’s responsibilities do not change with the use of a third-party
for ACH processing, its risk exposure may increase as a result of third-party direct access
to an ACH operator. A third-party service provider may transmit ACH transactions
directly to an ACH operator using the ODFI routing number, provided it has obtained
permission from the ODFI. However, it is the ODFI that warrants the validity of each
entry transmitted by the service provider, including the basic requirement that a receiver
has authorized all entries. To reduce risk to all parties, the financial institution should
establish controls over third-party service provider operations. The ODFI should
maintain control over its settlement accounts.25
25
See Interagency Outsourcing Guidance and IT Handbook “Outsourcing Technology Services Booklet.”
The NACHA rules require the ODFI to have an agreement with the third-party service
provider with direct access to an ACH operator. Although the federal regulators do not
enforce the NACHA rules, a financial institution with appropriate risk management will
have an agreement. NACHA specifies that the agreement sets out the rights and
responsibilities of all parties, including:
26
The ACH operator usually requires an authorization from the ODFI before processing a file. Failure to receive
ODFI authorization will result in the ACH operator deleting the file, giving the ODFI control over its exposure
from files originated or subsequently changed by a third-party service provider.
Financial institutions are exposed to numerous risks in providing retail payment system
services to customers. Depending on the complexity of retail payment system activity,
the examination coverage may require an integrated team approach that includes the
knowledge and skills of safety and soundness examiners, IT examiners, and credit and
compliance specialists.
1. Review past reports for comments relating to retail payment systems. Consider:
2. Review past reports for comments relating to the institution’s internal control
environment and technical infrastructure. Consider:
• Internal controls, including physical and logical access controls in the data
entry area, data center, and item processing operations.
4. Review the financial institution’s response to any retail payment systems issues
raised at the last examination. Consider:
• Data center and network management and the quality of internal controls
over internal ATM networks and gateway connectivity to regional and
national EFT/POS and bankcard networks.
• Ability to recover transaction data and supporting books and records based
on retail payment system business line requirements and time lines.
3. Review internal procedures employed for each bankcard product and assess:
5. Review a sample of consumer contracts for each bankcard service to ensure they
adequately describe the responsibilities and liabilities of the institution and its
customers (compliance with Regulation Z).
• Agent bank programs (for which the financial institution performs merchant
processing for other institutions), and the level of liability assumed by the
acquiring financial institution.
• Appropriate financial and accounting controls are in place to clear and settle
ATM transactions.
Objective 5: Determine the quality of risk management and support for ACH
processing activity.
1. Determine the extent to which the financial institution engages in retail payment
systems, including bill payment, stored-value cards, and P2P payments.
Consider:
• The extent to which existing Internet and e-banking products and services
include new retail payment mechanisms.
2. Determine whether the institution uses electronic check presentment (ECP) for
payment. If yes, consider:
CONCLUSIONS
• Determine and document to what extent, if any, the examiner may rely upon
retail payment systems procedures performed by internal or external audit.
4. Discuss your findings with management and obtain proposed corrective action
for significant deficiencies.
6. Organize work papers to ensure clear support for significant findings and
conclusions.
• Contracts with regional EFT/POS network switch and gateway operators and
bankcard processors clearly set forth the rights and responsibilities of all
parties, including the integrity and confidentiality of customer information,
ownership of data, settlement terms, contingency and business recovery
plans, and requirements for installing and servicing equipment and software.
• Adequate agreements are in place with all vendors supplying services for
retail EFT/POS and bankcard operations (plastic cards, ATM equipment and
software maintenance, ATM cash replenishment) that clearly define the
responsibilities of both the vendor and the institution.
1. Assess staff access to PIN data. Ensure there is separation of duties between
staff responsible for card operations and staff responsible for preparing or
issuing bankcards.
2. Assess the PIN generation process. Ensure there is separation of duties between
staff responsible for PIN generation and staff responsible for opening accounts
or with access to customer account information.
3. For new PIN issuance, assess the adequacy of control procedures including
accountability assigned to staff initiating such transactions.
5. Assess the threshold for PIN access attempts to customer account information
and funds. The threshold parameter should be set at a reasonable number of
unsuccessful attempts.
6. Assess the level of PIN encryption when stored on computer files or transmitted
over telecommunication lines.
7. If resets are allowed, assess the procedures and controls for PIN/password
resets. The use of single-use and temporary PIN/password is preferred.
8. Assess the adequacy of procedures for prohibiting PIN information from being
disclosed over the telephone.
10. Assess customer PIN selection criteria, focusing on whether the institution
discourages or prevents customers from using common words, sequences of
numbers, or words or numbers that can easily identify the customer.
1. Evaluate the logical and physical security controls to ensure the availability and
integrity of production retail payment systems applications. Consider:
• Whether the physical and logical security controls established for retail
payment transaction processing, clearance, and settlement services maintain
transaction confidentiality and integrity.
• Whether physical controls provide for the ability to monitor and document
access to all retail payment operations facilities.
2. Evaluate the effectiveness of all logical access controls assigned for staff
responsible for retail payment-related services. Consider:
3. Evaluate the security procedures for periodic password changes, the encryption of
password files, password suppression on terminals, and automatic shutdown of
terminals not in use.
2. Assess effectiveness of the dual control procedures for blank card stock in each of
the encoding, embossing, and mailing steps.
3. Assess physical access controls for card encoding areas. Management should allow
access to authorized personnel only.
4. Assess whether inventory controls for plastic card stock make them physically
secure.
6. Assess procedures for issuing cards from more than one location (e.g., branches) to
ensure there are accountability and bankcard control procedures at each card-
issuing location.
7. Assess institution card-mailing procedures. Ensure the institution mails the card
and associated PIN to customers in separate envelopes. Also ensure that the return
address does not identify the institution.
9. Assess returned card procedures. Determine whether adequate controls are in place
to ensure returned cards are not sent to staff with access to, or responsibility for,
issuing cards.
10. Assess whether there is appropriate follow-up to determine whether the correct
customer received the card and PIN.
11. Assess the adequacy of control procedures (e.g., hot card lists and expiration dates)
to limit the period of exposure if a card is lost, stolen, or purposely misused.
12. Establish whether the institution destroys captured and spoiled cards under dual
control and maintains records of all destroyed cards.
13. Assess whether the institution adequately controls test or demonstration cards.
14. Assess whether management maintains satisfactory controls over the issuance of
replacement or additional cards to the customer (e.g., temporary access cards issued
to the customer).
15. Assess the vendor management program to determine whether the institution
reviews card issuance services contracted to third parties for compliance with
appropriate bankcard control procedures.
1. Assess the financial institution’s business continuity plans and review the adequacy
of these plans for a partial or complete failure of each retail payment system.
Determine if the plans include:
1. Assess the adequacy of reconciliation processes for general ledger accounts related
to bankcard and debit card transaction processing activity. Consider whether:
2. Assess the adequacy of the daily settlement process for institutions participating in
shared EFT/POS networks or gateway systems.
4. Assess the adequacy of the investigative unit in place to address customer inquiries
and control nonposted items, rejects, and differences. Management should
periodically receive aging reports that list outstanding items.
5. Assess the separation of duties for the bankcard and EFT/POS account posting
process including receipt of transactions, file updates, adjustments, internal
reconcilement, preparation of general ledger entries, posting to customers accounts,
investigations, and reconcilement with third-party service provider network
switches and card processors.
6. Assess the effectiveness and accuracy of the adjustment process (e.g., changes to
deposits and reversals) relating to retail EFT/POS and bankcard transactions
processed by staff.
• Appropriate credit and liquidity risk measures for the bankcard and acquiring
business lines.
• Proper control of all source documents (e.g., checks for deposit) maintained
throughout the daily processing cycle relative to
Input preparation,
Reconcilement of item counts and totals,
Output distribution, and
Storage of the instruments.
2. Assess terminal and operator identification codes used for all retail ATM and POS
transactions.
3. Assess controls in place to prevent customer charges from exceeding the available
balance in the account or approved overdraft lines.
4. Assess access controls for terminals used to change customer credit lines and
account information.
5. Assess retail EFT equipment keyboards or display units to ensure that they are
properly shielded to avoid disclosure of customer IDs or PINs.
6. Assess receipt issuance to ensure customers receive a receipt showing the amount,
date, time, and location for retail EFT transactions in compliance with Regulation
E.
7. Assess whether each retail EFT transaction is assigned a sequence number and
terminal ID to provide an audit trail.
8. Assess whether the institution regularly updates hot card or customer suspect lists
and distributes them to branch banking locations.
10. Assess security devices and access control procedures for EFT/POS, bankcard, and
acquiring processing facilities to ensure appropriate physical and logical access
controls are in place.
3. Determine if the ODFI has established ACH exposure limits for originators.
Consider whether:
• The limit is based on the originator's credit rating and activity levels.
• Limits have been established for originators whose entries are transmitted to
the ACH operator by a service provider.
• A separate limit for WEB entries and other high-risk ACH transactions, as
warranted, have been established.
• The ODFI adjust limits for changes in an originator’s credit rating and
activity levels.
• Entries in excess of the exposure limit receive prior approval from a credit
officer.
• WEB entries and other high-risk ACH transactions (as warranted) are
separately accumulated and monitored, yet integrated into the overall ACH
transaction monitoring system.
6. Assess the RDFI’s overdraft and funds availability policies and practices and
determine if they adequately mitigate its credit exposures to ACH transactions.
• The ODFI receives summaries or full audit reports from the originators.
8. Determine how the ODFI or RDFI manages its relationship with third-party service
providers. Consider whether:
9. Determine if the ODFI allows third-party service providers direct access to an ACH
operator. Consider whether agreements between the ODFI and the service
providers include:
• A requirement that the service provider obtain the prior approval of the
ODFI before originating ACH transactions for originators under the ODFI
routing number.
• The establishment by the ODFI of dollar limits for files that the service
provider deposits with the ACH operator.
10. Determine whether the RDFI has established procedures to deal with consumers’
notifications regarding unauthorized or improperly originated entries or entries
where authorization was revoked.
12. Determine if the RDFI has procedures that enable it to freeze proceeds of ACH
transactions in favor of blocked parties (under OFAC sanctions) for whom the
RDFI holds an account.
13. Determine if the financial institution considers the volume of its uncollected ACH
transactions as part of its liquidity risk management practices.
14. Determine if management and personnel display adequate knowledge and technical
skills in managing and performing duties related to ACH transactions.
15. Review results from the financial institution’s NACHA rule compliance audit.
Determine:
• Whether the board or its committee reviewed and approved the audit.
1. Assess adequacy of logs maintained for ACH payments received from and
delivered to each customer.
2. Assess the balancing procedures used for all ACH payments received and whether
they include balancing to the aggregate payments sent to an ACH operator.
3. Assess whether the institution balances all payments received from an ACH
operator to the aggregate of payments delivered to customers.
4. Assess whether the institution verifies and authorizes the source of all ACH files
received for processing.
5. Assess whether the institution reconciles all general ledger accounts related to ACH
on a timely basis.
7. Assess whether the institution reconciles the ACH activity and pending file totals
daily with the ACH operator.
9. Assess the effectiveness of ACH holdover transactions and determine whether the
institution adequately controls them.
10. Assess whether accounting staff reconciles individual outgoing ACH batches before
merging them with other ACH transactions.
11. Determine whether there are separate accounts to control holdovers, adjustments,
return items, rejects, etc. and whether they are periodically reconciled.
12. Assess the effectiveness of the investigation unit to address customer inquiries and
control return items, rejected/unposted items, differences, etc. Determine whether
the unit periodically generates aging reports of outstanding items for management.
13. Assess whether management adequately tracks exceptions to credit limit policies
and legal contracts.
14. Determine whether exception reports (e.g., rejects, return items, and aging of open
items) receive appropriate management attention.
15. Assess the adequacy of separation of duties throughout the ACH process including
origination, data entry, adjustments, internal reconcilement, preparing general
ledger entries, posting to customer accounts, investigations, and reconcilement with
ACH operators.
16. Assess whether adjustments (e.g., added payments, stop payments, reroutes, and
reversals) to original ACH instructions are received in an area that does not have
access to the original data files.
17. Assess whether controls are appropriate for the adjustment process, including
authorization (e.g., signature verification and callbacks on telephone instructions)
and whether the institution maintains adequate records (e.g., logs and taping of
telephone calls) of individuals making requests.
18. Assess the customer profile origination and change request process. Consider
whether requests:
1. Assess the process for releasing payments to an ACH operator, and determine that
assurances are obtained that sufficient collected funds (e.g., on deposit or pre-
funded) or credit facilities are available. The institution should monitor customer
intraday and interday positions based on defined thresholds.
3. For prefunding arrangements in place for customers without credit lines, determine
if management blocks funds (held for disposition) or maintains them in separate
accounts until the transaction date.
4. For non pre-funded arrangements, the institution should place blocks on outgoing
payments to deposit accounts, apply them as reductions to credit lines, or include
them in the overall funds transfer monitoring process.
6. Assess whether management treats ACH debits deposited as uncollected funds and
whether they monitor any draws against these funds for debits originated by high-
risk customers.
7. Assess whether management approves draws against uncollected ACH deposits and
maintains documentation to support approvals for debits originated by high-risk
customers.
10. Ensure that the financial institution obtains and analyzes any audit conducted by the
ACH service provider, pursuant to the NACHA rule compliance audit requirement.
1. Determine whether the financial institution has adopted adequate policies and
procedures regarding ACH transactions involving Internet-initiated (WEB) entries.
Consider whether they:
• The institution makes tape recordings of all consumer oral authorizations. Also
determine if the institution provides written notice to the consumer, prior to
settlement date for the TEL entry, confirming the terms of the oral
authorization.
4. Determine if the ODFI conducts risk assessments of its originators and if the risk
assessments reflect a reasonable exercise of business judgment. Consider whether
the risk assessment includes evaluations of:
• Receiver authorizations.
1. Evaluate the ACH contingency plan, determine whether the financial institution has
tested it, and determine whether it includes provisions for partial or complete failure
of the system or communication lines between the institution, ACH operators,
customers, and associated data centers.
2. Based on the volume and importance of ACH activity, evaluate whether the plan is
reasonable and whether it provides for a reasonable recovery period.
4. Determine if data and program files are adequately retained and backed up at
off-premises facilities.
5. Determine if the center has established and tested procedures to recover and restore
data under various contingency scenarios.
6. Determine if the frequency and methods of testing contingency plans are adequate.
1. Determine whether the institution manages check return items effectively and
whether there are significant numbers of return items.
2. Determine if the institution records source document images for recovery if the
originals are lost in transit.
3. Note whether the institution reconciles batch dollar totals after processing.
4. Determine whether reject items are properly segregated from other work.
APPENDIX B: GLOSSARY
Acquirer fee Fee paid to the acquirer of the merchant sales draft. The acquirer
of the sales draft collects a merchant discount fee (or processing
fee) from the merchant for the costs associated with processing the
transaction.
Address verification Bankcard association service that verifies the customer provided
service (AVS) billing address matches the billing address on their credit card
account. The bankcard associations will not support merchants
that opt not to use AVS if those transactions are disputed and will
charge the merchant an additional 1.25 percent on those sales.
Authorization for A written or oral agreement between the originator and a receiver
ACH that allows payments processed through the ACH Network to be
deposited in or withdrawn from the receiver’s account at a
financial institution.
Automated clearing A central clearing facility that depository financial institutions use
house (ACH) operator to transmit and receive ACH entries. ACH operators are typically
a Federal Reserve Bank or a private-sector organization that
operates on behalf of a depository financial institution (DFI).
Automated teller ma- An electronic funds transfer (EFT) terminal that allows customers
chine (ATM) using a PIN-based debit (ATM) card to initiate transactions (e.g.,
deposits, withdrawals, account balance inquiries).
Bank Identification A series of assigned numbers used to identify the settling financial
Number/Interbank institution for both acquiring and issuing bankcard transactions.
Card Association
(BIN/ICA)
Bankcard associations Visa U.S.A. and MasterCard International Inc. are bankcard
associations established as bank service companies. Financial
institutions must be members of an association in order to offer
their credit card services. The associations have established
membership rights and obligations and membership is limited to
financial institutions.
Card issuer A financial institution that issues general-purpose credit cards car-
rying one of the two bankcard association logos. The issuing fi-
nancial institution establishes the credit relationship with the con-
sumer.
Card verification code Numeric security code printed on the back of MasterCard credit
(CVC2) cards. CVC2 reduces credit card fraud and chargeback instances
significantly when used in conjunction with AVS. See Address
verification service (AVS).
Card verification Three-digit security number that is printed on the back of most
value (CVV2) Visa credit cards. CVV2 reduces credit card fraud and chargeback
instances significantly when used in conjunction with AVS. See
Address verification service (AVS).
Check clearing The movement of a check from the depository institution at which
it was deposited back to the institution on which it was written.
The funds move in the opposite direction, with a corresponding
credit and debit to the involved accounts.
Check truncation The practice of holding a check at the institution at which it was
deposited (or at an intermediary institution) and electronically
forwarding the essential information on the check to the institution
on which it was written. A truncated check is not returned to the
writer.
Clearinghouse for In- A “real time”, multilateral final payments system for large dollar
ter-Bank Payment value business-to-business payment transactions between
Systems (CHIPS) domestic or foreign institutions that have offices located in the
United States. CHIPS is run by CHIP Co. L.L.C., a subsidiary of
the Clearing House.
Commercially reason- Hardware and software made available by a reputable firm for use
able in a commercial environment. Practices and procedures in wide-
spread use in the business community generally considered to rep-
resent prudent and reasonable business methods.
Correspondent bank An institution, acting on behalf of other institutions, that can settle
the checks they collect for other institutions (respondents) by
using accounts on their books or by sending a wire transfer.
Generally, a provider of banking and payment services to other
financial institutions.
Credit card A card indicating the holder has been granted a line of credit. It
enables the holder to make purchases or withdraw cash up to a
prearranged ceiling. The credit granted can be settled in full by
the end of a specified period or can be settled in part, with the
balance taken as extended credit. Interest is based on the terms of
the credit card agreement and the holder is sometimes charged an
annual fee.
Daylight overdraft A daylight overdraft occurs at any point in the business day when
the balance in an institution’s account becomes negative. Daylight
overdrafts can occur in accounts at Federal Reserve Banks as well
as at private financial institutions. Daylight credit can also arise in
the form of net debit positions of participants in private payment
systems. A daylight overdraft occurs at a Federal Reserve Bank
when there are insufficient funds in an institution’s Federal
Reserve Bank account to cover outgoing funds transfers or
incoming book-entry securities transfers. An overdraft can also be
the result of other payment activity processed by the Federal
Reserve Bank, such as check or automated clearinghouse
transactions.
Debit card A payment card issued as either a PIN-based debit (ATM) card or
as a signature-based debit card from one of the bankcard
associations. A payment card issued to a person for purchasing
goods and services through an electronic transfer of funds from a
demand deposit account rather than using cash, checks, or drafts at
the point-of-sale.
Direct presentment Depositary banks can present checks directly to the paying
institution. The paying institution may be the depositary bank (no
settlement is needed), or, if not, may settle on the books of the
Federal Reserve, using the Federal Reserve’s national settlement
service.
Electronic benefits A type of EFT system involving the transfer of public entitlement
transfer (EBT) payments, such as welfare or food stamps, through direct deposit
or point-of-sale technology (see POS). The recipient can be given
an identification card, similar to a benefit card, and a PIN allowing
access to the benefits through an electronic network.
Electronic check pre- Check truncation methodology in which the paper check’s MICR
sentment (ECP) line information is captured and stored electronically for
presentment. The physical checks may or may not be presented
after the electronic files are delivered, depending on the type of
ECP service that is used.
Electronic commerce A broad term encompassing the remote procurement and payment
(e-commerce) by businesses or consumers of goods and services through
electronic systems such as the Internet.
Electronic data cap- Process used for capturing and transferring the encoded
ture (EDC) information on the magnetic strip from a bankcard or debit card at
the point-of-sale (POS) to the processor’s database.
Electronic funds A generic term describing any transfer of funds between parties or
transfer (EFT) depository institutions through electronic data systems.
Electronic Funds The Electronic Funds Transfer Act and Regulation E are designed
Transfer Act (EFTA) to ensure adequate disclosure of basic terms, costs, and rights
relating to electronic fund transfer (EFT) services provided to
consumers. Institutions offering EFT services must disclose to
consumers certain information, including: initial and updated EFT
terms, transaction information, periodic statements of activity, the
consumer’s potential liability for unauthorized transfers, and error
resolution rights and procedures. EFT services include automated
teller machines, telephone bill payment, point-of-sale transfers in
retail stores, fund transfers initiated through the Internet, and
preauthorized transfers to or from a consumer’s account.
Federal Reserve The Federal Reserve Banks provide a variety of financial services
Banks including retail and wholesale payments. The Federal Reserve
Bank operates a nationwide system for clearing and settling
checks drawn on depository institutions located in all regions of
the United States.
Fedwire The Federal Reserve Bank’s nationwide real time gross settlement
electronic funds and securities transfer network. Fedwire is a
credit transfer system. Each funds transfer is settled individually
against an institution’s reserve or clearing account on the books of
the Federal Reserve. The transaction is considered an irrevocable
payment as it is processed.
Financial EDI (FEDI) Financial electronic data interchange. An instrument for settling
invoices by initiating payments, processing remittance data and
automating reconciliation, through the exchange of electronic
messages.
Interbank checks Checks that are not “on-us.” They are cleared and settled either
by direct presentment, a clearinghouse association, a
correspondent bank, or a Federal Reserve Bank.
Interchange (fees) Fees paid by one financial institution to another to cover handling
costs and credit risk in a bank card transaction. Interchange fees
generally flow toward the institution funding the transaction and
assuming risk in the process. In a credit card transaction, the
interchange fee is paid by the merchant acquirer accepting the
merchant’s sales draft to the card-issuing institution, and in turn
passes the fee to its merchants. In EFT/POS transactions,
interchange flows in the opposite direction: the card-issuing
institution (or customer) pays the fee to the terminal-owning
institution. When a transaction is an off-line debit sale, the card-
issuing institution collects an interchange fee from the merchant,
rather than from the customer, unlike in an EFT/POS transaction,
where the customer pays the interchange fee. Interchange revenue
is derived from fees set by the card associations. Depending on
the card association, fees can range from 1.0 to 3.0 percent of the
value of the transaction. Interchange revenue is recognized as a
card issuer’s second largest revenue line item.
Merchant processing Activity for the acceptance and settlement of bankcard products
and transactions from merchants through the payment system.
MICR-line informa- Refers to data characters at the bottom of a check. The magnetic
tion ink character recognition (MICR) line includes the routing number
of the payer bank, the amount of the check, the number of the
check, and the account number of the customer.
Multi-factor authenti- Strong authentication mechanism relying on more than one type of
cation authentication. A PIN or password alone is representative of
single factor authentication. Adding additional authentication
mechanisms would result in multi-factor authentication.
National Automated The national association that establishes the rules and procedures
Clearing House Asso- governing the exchange of automated clearinghouse payments.
ciation (NACHA)
Office of Foreign As- The Office of Foreign Assets Control, Department of the
sets Control (OFAC) Treasury, administers and enforces economic sanctions programs
primarily against countries and groups of individuals such as
terrorists and narcotics traffickers. The sanctions can be either
comprehensive or selective, using the blocking of assets and trade
restrictions to accomplish foreign policy and national security
goals.
On-us checks Checks that are deposited into the same institution on which they
are drawn.
Paying bank A paying bank is the institution where a check is payable and to
which it is sent for payment.
Payments System The Federal Reserve’s Payments System Risk (PSR) policy
Risk policy (PSR) addressing the risks that payment systems present to the Federal
Reserve Banks, the banking system, and to other sectors of the
economy.
Real time gross set- A type of payments system operating in real time rather than batch
tlement (RTGS) sys- processing mode. It provides immediate finality of transactions.
tem Gross settlement refers to the settlement of each transfer
individually rather than netting. Fedwire is an example of a real
time gross settlement system.
Reserve requirements The percentage of deposits that a depository institution may not
lend out or invest and must hold either as vault cash or on deposit
at a Federal Reserve Bank. Reserve requirements affect the
potential of the banking system to create transaction deposits.
Retail payments Payments, typically small, made in the goods and services market.
Return (ACH) Any ACH entry that has been returned to the ODFI by the RDFI
or by the ACH operator because it cannot be processed. The
reason for each return is included with the return in the form of a
“return reason code.” (See the NACHA “Operating Rules and
Guidelines” for a complete reason code listing.)
Settlement The final step in the transfer of ownership involving the physical
exchange of securities or payment. In a banking transaction,
settlement is the process of recording the debit and credit positions
of the parties involved in a transfer of funds. In a financial
instrument transaction, settlement includes both the transfer of
securities by the seller and the payment by the buyer. Settlements
can be “gross” or “net.” Gross settlement means each transaction
is settled individually. Net settlement means parties exchanging
payments will offset mutual obligations to deliver identical items
(e.g., dollars or EUROS), at a specified time, after which only one
net amount of each item is exchanged.
Settlement date The date on which an exchange of funds with respect to an entry is
(ACH) reflected on the books of the Federal Reserve Bank(s).
Standard entry class 3-character code in an ACH company/batch header record used to
(SEC) Code identify the payment type within an ACH batch.
Stored- value card A card-based payment system that assigns a value to the card.
The card’s value can be stored on the card itself (i.e., on the
magnetic stripe or in a computer chip) or in a network database.
As the card is used for transactions, the transaction amounts are
subtracted from the card’s balance. As the balance approaches
zero, some cards can be "reloaded" through various methods and
others are designed to be discarded. These cards are often used in
closed systems for specific types of purchases.
Third-party service A third party other than the ODFI or RDFI that performs any
provider (for ACH) function on behalf of the ODFI or the RDFI related to ACH
processing. These functions would include the creation and
sending of ACH files or acting as a sending or receiving point on
behalf of a participating DFI.
Truth in Lending Act Regulation Z (12 CFR 226) promulgated by the Board of
(TILA) Governors of the Federal Reserve System prescribing uniform
methods for computing the cost of credit, for disclosing credit
terms, and for resolving errors on certain types of credit accounts.
WEB SEC Code An ACH debit entry initiated by an originator resulting from the
receiver’s authorization through the Internet to make a transfer of
funds from a consumer account of the receiver.
LAWS
• 12 USC 1861-1867(c): Bank Services Company Act
• 12 USC 4001: Expedited Funds Availability Act
• 12 USC 5001: Check Clearing for the 21st Century Act
• 15 USC 1693: Electronic Funds Transfer Act
• 15 USC 6801 and 6805(b): Gramm-Leach-Bliley Act
• 18 USC 1: USA Patriot Act (Pub. L. No. 107-56)
• 31 USC 5311: Bank Secrecy Act
G UIDANCE
• Board of Governors of the Federal Reserve System Payments System Risk (PSR)
Policy, December 2001
• SR Letter 02–18: Section 312 of the USA Patriot Act—Due Diligence for Corre-
spondent and Private Banking Accounts, July 2003
G UIDANCE
• FIL 63-2003: Guidance on Identity Theft Programs, August 12, 2003
• FIL 39-2001: Identity Theft and Pretext Calling, May 9, 2001
• FIL 79-98: Electronic Financial Services and Consumer Compliance, July 16,
1998
G UIDANCE
• NCUA Letter to Credit Unions 01–CU–20: Due Diligence Over Third–Party Ser-
vice Providers, November 2001
• NCUA Letter to Credit Unions 01–CU–09: Identity Theft and Pretext Calling,
September 2001
• NCUA Regulatory Alert 01–RA–08: Interim Final Rules Amending Regulations
B, E, M, Z, and DD – Electronic Delivery of Required Disclosures, August 2001
• NCUA Letter to Credit Unions 01–CU–11: Electronic Data Security Overview,
August 2001
• NCUA Letter to Credit Unions 01–CU–10: Authentication in an Electronic Bank-
ing Environment, August 2001
• NCUA Regulatory Alert 01–RA–03: Electronic Signatures in Global and National
Commerce Act (E-Sign Act,) March 2001
• NCUA Letter to Credit Unions 01–CU–02: Privacy of Consumer Financial In-
formation, February 2001
• NCUA Letter to Credit Unions 00–CU–11: Risk Management of Outsourced
Technology Services (with Enclosure,) December 2000
• NCUA Letter to Credit Unions 00–CU–02: Identity Theft Prevention, May 2000
• NCUA Regulatory Alert 99–RA–3: Pretext Phone Calling by Account Informa-
tion Brokers, February 1999
G UIDANCE
• Office of the Comptroller of the Currency (OCC) Comptroller's Handbook: Credit
Card Lending, October 1996
• OCC Comptroller’s Handbook: Merchant Processing, December, 2001
• OCC Advisory Letter 96–7: Credit Card Pre-Approved Solicitations, September
1996
• OCC Advisory Letter 2000–6: Audit and Internal Controls, July 2000
• OCC Advisory Letter 2000–9: Third-Party Risk, August 2000
• OCC Advisory Letter 2000–10: Payday Lending, November 2000
G UIDANCE